Seeing cybercrime as a business helps to fuel new combat strategies

Picture Bob. He thinks he’s figured out how to avoid paying for cable TV by watching programs streamed from pirate websites. One day, he’s watching a live football broadcast and ten minutes into the game, he loses all access. His screen goes blank. Is ruining the user experience on pirated sites a new combat strategy?

Seeing it differently
Degrading user experience may not be the first thing that comes to mind when considering how to combat cybercrime. But the more times a user loses access unexpectedly, the more likely it is that he’ll seek other, legitimate ways to view sports and movies—even if those aren’t free.

It’s important to realize that cybercriminals operate with the same business structures as a legitimate enterprise organization. They have customers to satisfy. They conduct research and development. They produce and then distribute their products and services.

Cybercriminals are no longer shadowy loners working in isolation. Cybercrime is a complex network of people functioning in roles quite familiar to all enterprise organizations. In reality, hackers consider their ROI. They compete for capital. Some are computer scientists or have MBAs. They’re using the same tools and techniques as enterprise businesses —e.g. big data analytics and machine learning.

Once we make the mind-shift to see cybercrime as it truly is, a competing business entity, the more effective we’ll be at combating our adversaries.

Declare war on the hackers’ ROI
The “cybercrime as a business” perspective suggests new approaches such as, “How can we drive up their cost of R&D?” “How can we make their operations more expensive?” “How can you make it difficult for cybercrime syndicates to scale their operations?”

One particularly powerful strategy is polymorphism. It’s where a simple piece of code appears far lengthier and complex when viewed by hackers. Every time an attacker accesses code protected in this way, it automatically transforms into a more complex appearance.

Polymorphism forces attackers to invest far more in reverse engineering. The more times a hacker must go through the painstaking process of reverse engineering, the greater their investment and the lower their ROI.

And it’s not just the media industry that can benefit. Dynamic polymorphism can prove very effective in the banking industry, for instance. Under the PSD2 directive, banks have to open their APIs so third parties can initiate transactions. Here, dynamic polymorphism would be ideal because a single-use code for the web application, generated anew with each transaction, makes access available only for a very limited period of time. The aim is to radically reduce the life expectancy of any cyber asset a hacker might manage to obtain.

A change of strategy
It’s easy for security companies and technologists to get focused on making our stuff more secure. But, maybe our real job is to make the hackers’ lives and business models uneconomic. Proceeding from this premise, you begin to ask very different questions and devise much more effective strategies against the hackers.